
Computer Engineering ›› 2010, Vol. 36 ›› Issue (9): 150-152. doi: 10.3969/j.issn.1000-3428.2010.09.052

• Security Technology •


Trojan Communication Detection System Based on Network Driver Technology

ZHONG Ming-quan (钟明全), LI Huan-zhou (李焕洲), TANG Zhang-guo (唐彰国), ZHANG Jian (张健)

  1. (Institute of Network and Communication Technology, Sichuan Normal University, Chengdu 610066)
  • Received:1900-01-01 Revised:1900-01-01 Online:2010-05-05 Published:2010-05-05


Abstract: To raise the detection rate of network communication by Trojan programs, this paper compares the advantages and disadvantages of the available packet capture techniques and, on that basis, designs and implements a Trojan communication detection system built on an NDIS Hook driver. It presents the system's main modules and data structures and proposes a Trojan communication identification model based on analysis of network communication behaviour. Test results show that the model lowers both the false positive rate and the false negative rate, captures every network packet, and identifies previously unseen Trojan communication.

Key words: Trojan, packet capture, NDIS Hook driver, Trojan communication identification
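The abstract describes a two-stage design: an NDIS Hook driver that sees every packet, and a behaviour-analysis model that decides which communication looks like a Trojan. The driver is Windows kernel code and cannot run here, so the following C program, added as an illustration and not taken from the paper, shows only the second stage over packet summaries such a driver would hand up. One behavioural feature is implemented: a destination contacted repeatedly at near-constant intervals (beaconing). The flow table, the regularity test, the thresholds `BEACON_MIN_PKTS` and `BEACON_MAX_CV`, and the capture records in `build_sample()` are all assumptions made for this example; the page does not state which features or data structures the authors actually used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One outbound packet as the capture hook would summarise it (constructed
 * records only; see build_sample). */
typedef struct {
    uint32_t ts_ms, dst_ip;     /* capture time (ms); destination IPv4, host order */
    uint16_t dst_port;
    uint8_t  proto;             /* 6 = TCP, 17 = UDP */
} pkt_t;

typedef struct {                /* per-destination aggregate the model reasons about */
    uint32_t dst_ip; uint16_t dst_port; uint8_t proto;
    int count; uint32_t last_ts;         /* packets seen, last capture time */
    double gap_sum, gap_sq_sum;          /* running sums of inter-packet gaps */
} flow_t;

#define MAX_FLOWS 32
typedef struct { flow_t f[MAX_FLOWS]; int n; } flow_table_t;

/* Illustrative thresholds: assumptions for this example, not the paper's. */
#define BEACON_MIN_PKTS 5
#define BEACON_MAX_CV   0.10        /* max stddev/mean of the gaps */

static flow_t *flow_lookup(flow_table_t *t, const pkt_t *p)
{
    for (int i = 0; i < t->n; i++)
        if (t->f[i].dst_ip == p->dst_ip && t->f[i].dst_port == p->dst_port
            && t->f[i].proto == p->proto)
            return &t->f[i];
    if (t->n == MAX_FLOWS) return NULL;
    flow_t *f = &t->f[t->n++]; memset(f, 0, sizeof *f);
    f->dst_ip = p->dst_ip; f->dst_port = p->dst_port; f->proto = p->proto;
    return f;
}

/* Per-packet callback: fold one captured packet (in time order) into its flow. */
void flow_update(flow_table_t *t, const pkt_t *p)
{
    flow_t *f = flow_lookup(t, p);
    if (!f) return;                 /* table full: a real engine would evict or alert */
    if (f->count > 0) {
        double gap = (double)(p->ts_ms - f->last_ts);
        f->gap_sum += gap;
        f->gap_sq_sum += gap * gap;
    }
    f->last_ts = p->ts_ms;
    f->count++;
}

/* Beacon test: enough packets, and gaps so regular that stddev/mean is below
 * BEACON_MAX_CV. Variance is compared with (cv*mean)^2 to avoid sqrt/libm. */
int flow_is_beacon(const flow_t *f)
{
    if (f->count < BEACON_MIN_PKTS) return 0;
    int gaps = f->count - 1;
    double mean = f->gap_sum / gaps;
    if (mean <= 0) return 0;
    double var = f->gap_sq_sum / gaps - mean * mean;
    return var < (BEACON_MAX_CV * mean) * (BEACON_MAX_CV * mean);
}

/* Apply the model to every flow; returns how many were flagged. */
int flows_flagged(const flow_table_t *t, const flow_t **out, int max_out)
{
    int k = 0;
    for (int i = 0; i < t->n && k < max_out; i++)
        if (flow_is_beacon(&t->f[i])) out[k++] = &t->f[i];
    return k;
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define C2  IP(203, 0, 113, 5)      /* beacon target (TEST-NET-3) */
#define WEB IP(198, 51, 100, 10)    /* ordinary HTTPS server (TEST-NET-2) */
#define DNS IP(192, 0, 2, 53)       /* resolver (TEST-NET-1) */
/* Constructed capture: 30 s beacon with small jitter to C2:4444, bursty HTTPS, two DNS queries. */
int build_sample(pkt_t *out, int max)
{
    static const pkt_t s[] = {
        {1000, C2, 4444, 6}, {31000, C2, 4444, 6}, {61200, C2, 4444, 6},
        {91000, C2, 4444, 6}, {121100, C2, 4444, 6}, {150900, C2, 4444, 6},
        {181000, C2, 4444, 6}, {211000, C2, 4444, 6},
        {2000, WEB, 443, 6}, {2500, WEB, 443, 6}, {14500, WEB, 443, 6},
        {15300, WEB, 443, 6}, {60300, WEB, 443, 6}, {63300, WEB, 443, 6},
        {900, DNS, 53, 17}, {1900, DNS, 53, 17},
    };
    int n = (int)(sizeof s / sizeof s[0]);
    if (n > max) n = max;
    memcpy(out, s, (size_t)n * sizeof *out);
    return n;
}

/* Whole pipeline on the sample: port of the single flagged destination, else -1. */
int demo_flagged_port(void)
{
    pkt_t p[32]; flow_table_t t = {0}; const flow_t *hit[8];
    int n = build_sample(p, 32);
    for (int i = 0; i < n; i++) flow_update(&t, &p[i]);
    return flows_flagged(&t, hit, 8) == 1 ? hit[0]->dst_port : -1;
}
```

On the constructed sample only the 4444/tcp destination is flagged: its seven gaps average exactly 30 s with a standard deviation of about 140 ms, while the HTTPS flow has enough packets but wildly irregular gaps and the DNS flow never reaches the packet minimum. A production engine would add further behavioural features (connection direction, port usage, payload size ratios) and expire idle flows; the point shown here is that the capture layer only needs to deliver per-packet summaries for the model to work on.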
